...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\"	transcript compatibility for postscript use.
...\"
...\"	synopsis:  .P! <file.ps>
...\"
.de P!
\\&.
.fl			\" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl			\" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u	\" move below the image
..
.de pF
.ie     \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie     !\\*(f4 \{\
.	ft \\*(f4
.	ds f4\"
'	br \}
.el .ie !\\*(f3 \{\
.	ft \\*(f3
.	ds f3\"
'	br \}
.el .ie !\\*(f2 \{\
.	ft \\*(f2
.	ds f2\"
'	br \}
.el .ie !\\*(f1 \{\
.	ft \\*(f1
.	ds f1\"
'	br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n 
.TH "\fBflow-receive\fP" "1"
.SH "NAME"
\fBflow-receive\fP \(em Receive flow data with the NetFlow protocol\&.
.SH "SYNOPSIS"
.PP
\fBflow-receive\fP [-h]  [-A\fI AS0_substitution\fP]  [-b\fI big|little\fP]  [-C\fI comment\fP]  [-d\fI debug_level\fP]  [-f\fI filter_fname\fP]  [-F\fI filter_definition\fP]  [-m\fI privacy_mask\fP]  [-o\fI output_file\fP]  [-S\fI stat_interval\fP]  [-t\fI tag_fname\fP]  [-T\fI active_def\fP|\fIactive_def,active_def\fP \&...]  [-V\fI pdu_version\fP]  [-z\fI z_level\fP] \fIlocalip/remoteip/port\fP 
.SH "DESCRIPTION"
.PP
The \fBflow-receive\fP utility is used to receive flows in NetFlow
format\&.  When the \fIremoteip\fP is configured only flows
from that exporter will be processed, this is the most secure and recommended
configuration\&.  When the \fIlocalip\fP is configured
\fBflow-receive\fP will only process flows
sent to the \fI localip\fP IP address\&.  If
\fIremoteip\fP is 0 (not configured) flows from any
source IP address are accepted\&.  Multiple non aggregated PDU versions may
be accepted at once to support Cisco\&'s Catalyst 6500 NetFlow
implementation which exports from both the supervisor and MSFC with the
same IP address and same port but different export versions\&.  In this case
the exports will be stored in the format specified by the -V flag or
whichever export type is received first\&.
 
.SH "OPTIONS"
.IP "-A\fI AS0_substitution\fP" 10
Cisco\&'s NetFlow exports represent the local autonomous system as 0 instead of
the real value\&.  This option can be used to replace the 0 in the export with
the a configured value\&.  Unfortunately under certain configurations AS 0 can
also represent a cache miss or non forwarded traffic so use with caution\&.
.IP "-b\fI big\fP|\fIlittle\fP" 10
Byte order of output\&.
.IP "-C\fI Comment\fP" 10
Add a comment\&.
.IP "-d\fI debug_level\fP" 10
Enable debugging\&.
.IP "-f\fI filter_fname\fP" 10
Filter list filename\&.  Defaults to \fB/ENAQS/var/cfg/filter\fP\&.
.IP "-F\fI filter_definition\fP" 10
Select the active definition\&.  Defaults to default\&.
.IP "-h" 10
Display help\&.
.IP "-m\fI privacy_mask\fP" 10
Apply \fIprivacy_mask\fP to the source and destination IP
address of flows\&.  For example a privacy_mask of 255\&.255\&.255\&.0 would convert
flows with source/destination IP addresses 10\&.1\&.1\&.1 and 10\&.2\&.2\&.2 to 10\&.1\&.1\&.0
and 10\&.2\&.2\&.0 respectively\&.
.IP "-o\fI file\fP" 10
Write to \fBfile\fP instead of the standard out\&.
.IP "-S\fI stat_interval\fP" 10
When configured \fBflow-receive\fP will emit a timestamped
message on stderr every \fIstat_interval\fP minutes
indicating counters such as the number of flows received, packets processed,
and lost flows\&.
.IP "-t\fI tag_fname\fP" 10
Load tags from \fBtag_name\fP
.IP "-T\fI active_def\fP|\fIactive_def,active_def\&.\&.\&.\fP" 10
Use \fIactive_def\fP as the active tag definition(s)\&.
.IP "-V\fI pdu_version\fP" 10
Use \fIpdu_version\fP format output\&.
.PP
.nf
    1    NetFlow version 1 (No sequence numbers, AS, or mask)
    5    NetFlow version 5
    6    NetFlow version 6 (5+ Encapsulation size)
    7    NetFlow version 7 (Catalyst switches)
    8\&.1  NetFlow AS Aggregation
    8\&.2  NetFlow Proto Port Aggregation
    8\&.3  NetFlow Source Prefix Aggregation
    8\&.4  NetFlow Destination Prefix Aggregation
    8\&.5  NetFlow Prefix Aggregation
    8\&.6  NetFlow Destination (Catalyst switches)
    8\&.7  NetFlow Source Destination (Catalyst switches)
    8\&.8  NetFlow Full Flow (Catalyst switches)
    8\&.9  NetFlow ToS AS Aggregation
    8\&.10 NetFlow ToS Proto Port Aggregation
    8\&.11 NetFlow ToS Source Prefix Aggregation
    8\&.12 NetFlow ToS Destination Prefix Aggregation
    8\&.13 NetFlow ToS Prefix Aggregation
    8\&.14 NetFlow ToS Prefix Port Aggregation
    1005 Flow-Tools tagged version 5
.fi
.IP "-z\fI z_level\fP" 10
Configure compression level to \fI z_level\fP\&.  0 is
disabled (no compression), 9 is highest compression\&.   
.SH "EXAMPLES"
.PP
Listen on port 9800 on any local interface for exports from IP address
10\&.0\&.0\&.1, store the exports in \fBflows\fP
.PP
  \fBflow-receive\fP 0/10\&.0\&.0\&.1/9800 > \fBflows\fP
.PP
Listen on port 9800 on any local interface from any IP address, display
the received flows with flow-print\&.
.PP
  \fBflow-receive\fP 0/0/9800 | \fBflow-print\fP
.SH "BUGS"
.PP
It is not currently possible to convert between the aggregated formats (8\&.x)
and the non aggregated formats (1,5,6,7)\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-tools\fP(1)
...\" created by instant / docbook-to-man, Mon 14 Oct 2002, 11:40
